Thomas Boutell
2005-Mar-08 02:11 UTC
[Samba] Unable to set ACLs with Samba 3.0.11, near publication deadline
Hello, Jeremy and Jerry,

I met both of you at LinuxWorld in Boston, where I learned tons and tons of great stuff from your presentations.

I'm writing on deadline for publication and would really, really, really like to show off Samba's ability to map NT ACLs to POSIX ACLs. But right now, I can't make them work. I've spent some time on the Samba list trying to make this work, but haven't received much of a response. I'm also CC'ing David Sonenberg who has reported the same or a similar problem in well documented emails to the samba list.

I've made the effort to pull together as much information about my configuration as possible in the hopes that we can nail down this bug, or user error, or whatever it turns out to be in time to write great things about Samba's abilities in this area.

Thank you!

* * *

So, here's the configuration:

* Samba 3.0.11, from the samba.org Fedora Core 3 RPMs
* Fedora Core 3
* ext3 fs mounted with acls on, setfacls and getfacls work great
* winbind in use in nsswitch.conf
* The server is a member of a Windows 2003 Active Directory domain

The share in question looks like this on the server:

[root@ADSambaFP1 samba]# !ls
ls -l /research
total 16
-rw-r--r-- 1 AD\marketperson1 10003 33 Feb 21 21:16 research1.txt
-rw-r--r-- 1 AD\marketperson1 10003 34 Feb 21 21:16 research2.txt

I can reproduce the problem using the smbcacls tool. There's quite a bit of debugging information included below. At the end of this message you will also find:

* The relevant part of "getent passwd"
* The relevant part of "getent group"

If you need any further information or assistance from me to resolve this please don't hesitate to ask. Thank you very much!
* * *

[root@ADSambaFP1 samba]# !smbc
smbcacls //localhost/research research1.txt -a ACL:AD\\marketinggroup:ALLOWED/0/RWX -U AD\\marketperson1
added interface ip=192.168.2.211 bcast=192.168.2.255 nmask=255.255.255.0
Password:
Connecting to host=localhost
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=99)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=adsambafp1$@AD.CORP.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
Connecting to host=localhost
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=99)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=adsambafp1$@AD.CORP.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
lsa_io_sec_qos: length c does not match size 8
Failed to parse ACL ACL:AD\marketinggroup

* * *

getent passwd | grep marketperson1
AD\marketperson1:x:10021:10000:Marketperson1:/home/AD/marketperson1:/bin/bash

* * *

getent group | grep marketperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1

--
Thomas Boutell
Boutell.Com, Inc.
http://www.boutell.com/
smc+samba@dogphilosophy.net
2005-Mar-08 18:31 UTC
[Samba] Unable to set ACLs with Samba 3.0.11, near publication deadline
I'd be interested in finding out whatever information comes of your query as well - I think I'm running into the same limitations.

In short, I've added a Samba file sharing server to an existing "ActiveDirectory" domain. It seems to work fine, except that the Windows administrator there is complaining about the "chunky" permissions scheme (he can't revoke "part of" the write access in the Windows security tab for the share - any "write" box checked ends up coming back as "full access" on update, I presume because it's just being mapped to the *nix "write" permission rather than enforcing the more fine-grained permissions which I gathered should have been stored as extended attributes...)

Is the capability to support the Windows permissions model new in 3.0.11 or later?

On Monday 07 March 2005 07:04 pm, Thomas Boutell wrote:
> Hello, Jeremy and Jerry,
>
> I met both of you at LinuxWorld in Boston, where I learned tons and tons
> of great stuff from your presentations.
>
> I'm writing on deadline for publication and would really, really, really
> like to show off Samba's ability to map NT ACLs to POSIX ACLs. But right
> now, I can't make them work. I've spent some time on the Samba list
> trying to make this work, but haven't received much of a response. I'm
> also CC'ing David Sonenberg who has reported the same or a similar problem
> in well documented emails to the samba list.
>
> I've made the effort to pull together as much information about
> my configuration as possible in the hopes that we can nail down
> this bug, or user error, or whatever it turns out to be in time
> to write great things about Samba's abilities in this area.
>
> Thank you![...]
Thomas Boutell
2005-Mar-08 22:08 UTC
[Samba] Re: Unable to set ACLs with Samba 3.0.11, near publication deadline
Anybody have a roadkill cookbook? Because I have some crow to eat, and I'm not sure how best to prepare it.

Sigh. I didn't have writable = yes set on the share. The fact that smbcacls didn't work (and still doesn't work!) blinded me to this more obvious issue. Once I set writable = yes, of course, I was able to change acls from a true Windows client... which was of course my actual goal.

I'd created my test files in advance on the Linux side, so the no-write-permissions-at-all issue wasn't obvious at any other time.

Thanks for the attention you gave to the matter. Next time, if I'm not able to spot the issue myself, I'll be sure to include my *entire* smb.conf in the report.

--
Thomas Boutell
Boutell.Com, Inc.
http://www.boutell.com/
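
Added example (not part of the original thread, and not Samba project code): the cause reported in the last message was a share without writable = yes, which leaves it at Samba's default of read only = yes, so ACL changes from a client are refused. This Python sketch lists the shares in an smb.conf that are effectively read-only, treating writable, writeable and write ok as inverted synonyms of read only. The sample file is constructed, and the function name and every share name other than research are assumptions.

```python
import re

# Constructed sample smb.conf; only [research] corresponds to the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = AD
   security = ads

[research]
   path = /research
   ; no writable / read only line, so the default (read only = yes) applies

[scratch]
   path = /scratch
   writable = yes

[archive]
   path = /archive
   Read Only = No
   write ok = no
"""

TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}
# Normalised parameter name -> True when the value states "read only" directly,
# False when it is one of the inverted synonyms.
WRITE_PARAMS = {"readonly": True, "writable": False,
                "writeable": False, "writeok": False}

def read_only_shares(conf_text):
    """Return the sorted names of shares that end up read-only."""
    sections = {}          # section name -> read-only flag, or None if unset
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, None)
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()   # names ignore case and spaces
        value = value.strip().lower()
        if key in WRITE_PARAMS and value in TRUE | FALSE:
            flag = value in TRUE
            # The last setting in a section wins, whichever synonym is used.
            sections[current] = flag if WRITE_PARAMS[key] else not flag
    default = sections.get("global")
    if default is None:
        default = True                    # Samba default: read only = yes
    return sorted(name for name, ro in sections.items()
                  if name != "global" and (default if ro is None else ro))
```

On the constructed sample this reports archive (where the later write ok = no overrides Read Only = No) and research (no setting at all, as in the thread).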